
Thursday, 24 November 2011

Here is a cool opportunity which also raises some interesting questions

I just got asked to see if I could recommend a good AppSec and Reverse Engineer person to spend one month breaking the security of a tablet (and another device) that is coming to a place near you next year.

The brief is quite an interesting one, since it basically says: '...please root this device, show how to install malicious apps on it without root, and/or show how to extract encrypted content...' (so if you know somebody or are interested please ping me directly)

What is interesting about this gig is the company that it is from. Usually those corporate folks are a bit more gentle and politically correct, but this shows that these guys really want to know about the problems first (which is a nice evolution in our market). I have to say that 'finally' I have seen more people/customers who want to be secure (vs being compliant or wanting to be seen doing something about it).

It also shows how interconnected our day-to-day devices are becoming, and how big a can of worms (from a security point of view) they can/will be.

Note how web app security is starting to be more and more dependent on the devices that use it; for example, there could be a number of vulnerabilities created by how the client/server exchanges occur (it would be cool to root the device by tricking it into installing something via a reflected exploit on the server; would we call that a 'Reflected Root' vulnerability? :) ).

This also feels a lot like the 'return of the fat client', where the vendors have so much control over the client's device that they extend the attack surface to it (which could lead to a number of security decisions being made on the wrong location).

Wednesday, 23 November 2011

For the more advanced O2 users out there, I just committed a new set of O2 scripts that implement two very powerful capabilities

O2 Web Proxy - native (to O2) web proxy that sits between the IE automation object and the rest of the world (although inside the same O2 .Net process). This was based on the code in http://www.codeproject.com/KB/IP/HTTPSDebuggingProxy.aspx and it gives O2 something that I have been wanting for years now: programmatic access to a web proxy. This opens up a LARGE number of testing/fuzzing capabilities and dramatically simplifies IE analysis tasks (for example, something that is now simple to get is the full value of the Cookies (and Headers) sent to/from the IE browser; the http-only cookies, for example, were really hard to get).

O2 WAF Simulator - built on top of the O2 Web Proxy, I was able to quickly create a WAF simulator which uses the O2 Proxy's callbacks to fix a couple of vulnerabilities in the test app I was looking at (great when talking to developers about the vulnerabilities discovered and their possible fixes).

I will shortly put more details about this on the O2 blog

What I like the most about these two new capabilities is that this was all created/implemented in about 4h of focused development (and it shows how powerful O2's APIs and quick-prototyping development environment have become).

Hi, I need to integrate Cucumber into O2, so I was wondering if I could get some help.

Here is my first set of challenges:

I need a couple of Cucumber scripts (running on top of Ruby) that do some kind of web actions (ideally on a vuln app like webgoat, http://google-gruyere.appspot.com, hacmebank, etc...) so that we can test the following scenarios:

Trigger these tests directly from O2 (including seeing their results). This could be as simple as triggering Cucumber from the command line.

Run those same tests via a security proxy/tool/scanner so that we can 'teach it' how the app works. This should work for any tool that can act like a proxy, but to start, I would like to run it on:

OWASP ZAP

NetSparker

AppScan Standard

Burp

Use IronPython to run Cucumber tests/features directly in .NET/O2 so that I can create a solid two-way communication and instrumentation between those scripts and O2 (i.e. O2 consuming them directly, and the scripts being able to access O2 APIs).

Friday, 11 November 2011

(comment I made on the OWASP mailing list last week which contains some ideas on where I see OWASP going next)

Stephen, you absolutely shouldn't feel guilty about 'only' contributing to OWASP through your regular bursts of energy (I put 'only' in quotes, since you are one of my favorite OWASP stories, and a talent that I'm very proud to have helped to attract to OWASP). Your type of contribution is one of the things that have built OWASP and it is one of its most amazing characteristics.

In fact, in my view, the job of OWASP 'the organization' is to make sure that when you do focus and want to commit some energy, there is an environment (or ecosystem) that will make that process as productive, enjoyable and efficient as possible.

In that light, OWASP 'the organization' should be much more like an event organizer (think 'music production company') than a big 'we have the vision and know it all' type of org.

Please don't be too hard on Mark since his heart is absolutely in the right place (and let's not really judge Microsoft's ethics since most large companies these days won't get a clean bill of health :) ).

One thing I learned from playing music is that you have to listen to the audience's comments, and most of the time they say (from your point of view of course) the right thing the wrong way (or not the same way you would articulate it).

Mark wants a more professional and focused approach to OWASP, where there is energy and commitment in the creation of very professional, high-quality, well presented, easy to use/adopt and community-friendly deliveries (tools, books, guides, dev outreach, etc...).

Which is exactly what I also want.

That doesn't mean that we stop supporting the grassroots movements and activities that allowed OWASP to be what it is today (and empower its contributors to 'just get on with it and try to find a solution'). It means instead that we need to put a lot more investment and effort into creating an operational machine that will support it (we have the talent at OWASP; what we don't have is the operational machine (which OWASP's leaders are not really good at, or don't have time to dedicate to)).

Part of the problem is that there is still this view at OWASP that we need:

a strong mission, vision, etc...

high level commitments/endorsements and

centrally controlled activities

.... as if, once we had those, anything would happen because of it :)

Part of the problem with this type of thinking is that it creates an environment where Mark (correctly, under that thinking) was expecting a level of support and endorsement for his ideas that is just not possible at OWASP.

The irony is that there are lots of really great leaders inside OWASP that share Mark's wish for a more professional and dev-community-friendly OWASP. Unfortunately we (OWASP) still have not come up with an operational model that allows those groups to aggregate and flourish (I don't think the current Committees structure is the right structure, but maybe the https://www.owasp.org/index.php/Security_Ecosystem_Project is a better one).

Btw, for me the only vision and mission that OWASP needs is three (or maybe two) words: Web Application Security, or maybe even just two: Application Security.

So please embrace Mark's ideas and comments; you might not like his style (like many don't like mine), but he is carrying an important message.

Think about this: we are lucky that Mark cared enough about OWASP that he spent his time documenting and talking about his issues and problems. We would be much worse off if he had just ignored OWASP. In fact, I wish he blogged more about his ideas for OWASP since there is some great stuff in there :). He also talks to a lot of people about OWASP, especially people who would like to be involved in OWASP but have not found their sweet spot. We need to hear those voices and find ways to connect to them.

Monday, 7 November 2011

Yesterday, when looking for the ASP.NET XSS mappings, I found an article that presents a solution that I have been looking for for ages: changing the behaviour of the ASP.NET <%= tag so that it encodes by default.

If we really want to help developers to fix their code, we ultimately need to move all the way into their IDEs and actually provide them code fixes in context!

A while back somebody asked me how to actually perform .NET code changes and patches using O2's .NET Static Analysis engine, and I wrote a little PoC that clearly shows how that can be done (and a preview of what the future looks like).

I really like this concept and it is sort of similar to what Spring is doing with Roo (http://www.springsource.org/spring-roo), where the developer's code is automatically refactored in order to meet specific objectives.

Render the Html Tag control in isolation (which will allow these tests to be run from vanilla UnitTests)

Quickly put Html content in a browser and see what it looks like

Quickly fire up a .NET web server on a local directory, create a test *.aspx page, and see its contents (rendered from the ASP.NET server)

Test some payloads on the *.aspx page and confirm (or not) the exploitability of this control (a good follow-up script to write is to run the FuzzDB on this property and see which ones work)

Since it is safe to assume that the Href from an HtmlAnchor should not have " (and other dangerous chars) in its rendered text (it should be encoded), shouldn't this be classified as a vulnerability in the Asp.Net Framework? Especially since it bypasses the ASP.NET built-in validation.
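To make the "render the control in isolation and test it from vanilla UnitTests" step above concrete, here is an added example (my own code, not the HtmlAnchor control or anything from O2) in Python: render_anchor is a constructed stand-in that writes the href value either verbatim or HTML-attribute-encoded, and the check shows why an unencoded " in the Href value is exploitable, since a browser-style attribute parser sees the payload as extra attributes. The payload list is constructed here, not taken from FuzzDB.

```python
import html
import re

# Constructed payload: a raw quote closes the href value and smuggles in an event handler.
PAYLOAD = '#" onmouseover="alert(1)'

def render_anchor(href, text, encode):
    """Stand-in for a server control rendering <a href=...>.

    encode=False writes the HRef value verbatim (the behaviour the post questions);
    encode=True applies HTML attribute encoding first (what a safe control should do).
    """
    value = html.escape(href, quote=True) if encode else href
    return '<a href="%s">%s</a>' % (value, html.escape(text))

# Minimal attribute parser: roughly what a browser sees as separate attributes.
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_attributes(tag):
    return dict(ATTR_RE.findall(tag))

def decoded_href(tag):
    """Value the browser hands to the href attribute after entity decoding."""
    return html.unescape(parse_attributes(tag)["href"])

def href_is_safe(tag):
    """Safe if href is the only attribute parsed: a raw quote in the value
    would have split it into additional (attacker-controlled) attributes."""
    return list(parse_attributes(tag)) == ["href"]

def check_payloads(payloads, encode):
    """Return the payloads that escape the href attribute for the given encoding
    mode (the loop a FuzzDB-driven follow-up script would run)."""
    return [p for p in payloads if not href_is_safe(render_anchor(p, "link", encode))]

# Constructed sample inputs: two attribute breakouts and one benign URL with an ampersand.
PAYLOADS = [PAYLOAD, 'http://example.com/page?a=1&b=2', '#" onclick="x()']

if __name__ == "__main__":
    for enc in (False, True):
        print("encode=%s -> payloads escaping the attribute: %s" % (enc, check_payloads(PAYLOADS, enc)))
```

With encoding on, the benign URL still round-trips unchanged after entity decoding, so the check distinguishes a real breakout from a harmless `&` in a query string.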

Is this documented somewhere? I know there is (somewhere) a list of all ASP.NET mappings (so it should be there), but I just looked at the MS pages for the HtmlAnchor tag and there is no mention in there for the security implications of this:

So with the public launch of TeamMentor Beta I now have a nice problem to solve:

"How to write UnitTests (Browser Automation and WS driven) that test for the valid state of the TM test websites (http://50.19.221.68:90 and http://50.19.221.68:91) and ensure that they have not been spectacularly modified, modified or hacked :)"

Last night SI (Security Innovation) released the public beta of the product I have been working on for the past 7 months. It is called TeamMentor (TM) and it is a web based tool to create and distribute security knowledge.

There is a lot that I want to say about this project (especially since O2 was used for its development and the product is a great case study of the power of O2 when used as a developer-helping tool). Also, SI is more than happy for me to talk about the internals of TM, how it evolved and its architecture (which is a rare thing in product companies).